policy/frameworks/files/detect-MHR.bro

TeamCymruMalwareHashRegistry

Detect file downloads that have hash values matching files in Team Cymru’s Malware Hash Registry (http://www.team-cymru.org/Services/MHR/).

Namespace:TeamCymruMalwareHashRegistry
Imports:base/frameworks/files, base/frameworks/notice, policy/frameworks/files/hash-all-files.bro
Source File:/scripts/policy/frameworks/files/detect-MHR.bro

Summary

Runtime Options

TeamCymruMalwareHashRegistry::match_file_types: pattern &redef File types to attempt matching against the Malware Hash Registry.
TeamCymruMalwareHashRegistry::match_sub_url: string &redef The Match notice has a sub message with a URL where you can get more information about the file.
TeamCymruMalwareHashRegistry::notice_threshold: count &redef The malware hash registry runs each malware sample through several A/V engines.

Redefinitions

Notice::Type: enum

Detailed Interface

Runtime Options

TeamCymruMalwareHashRegistry::match_file_types
Type:pattern
Attributes:&redef
Default:
/^?((^?((^?((^?((^?((^?((^?(application\/x-dosexec)$?)|(^?(application\/vnd.ms-cab-compressed)$?))$?)|(^?(application\/pdf)$?))$?)|(^?(application\/x-shockwave-flash)$?))$?)|(^?(application\/x-java-applet)$?))$?)|(^?(application\/jar)$?))$?)|(^?(video\/mp4)$?))$?/

File types to attempt matching against the Malware Hash Registry.

TeamCymruMalwareHashRegistry::match_sub_url
Type:string
Attributes:&redef
Default:"https://www.virustotal.com/en/search/?query=%s"

The Match notice has a sub message with a URL where you can get more information about the file. The %s will be replaced with the SHA-1 hash of the file.

TeamCymruMalwareHashRegistry::notice_threshold
Type:count
Attributes:&redef
Default:10

The malware hash registry runs each malware sample through several A/V engines. Team Cymru returns a percentage indicating how many of those engines flagged the sample as malicious, and a Match notice is raised only when that percentage reaches this threshold. The default of 10 therefore means at least 10% of the engines must have flagged the file; raise it to trade fewer false positives for missed detections on samples with low A/V coverage.
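The three options above are meant to be tuned from a site-local script rather than by editing detect-MHR.bro. The following is an added example of such tuning, not code from this page or from the Bro project; the extra MIME type, the threshold value, the lookup URL (https://intel.example.internal/hash/%s) and the e-mail escalation are illustrative choices, and the notice type name TeamCymruMalwareHashRegistry::Match is assumed from the script's namespace and its Notice::Type redefinition.

```bro
# Added example (not from detect-MHR.bro or the Bro project): site-local tuning
# of the Malware Hash Registry script, e.g. placed in local.bro.
@load policy/frameworks/files/detect-MHR

# Also submit Windows Installer packages for MHR lookup. redef += on a pattern
# ORs the new regex into the existing match_file_types default.
# (application/x-msi is an illustrative choice, not a project default.)
redef TeamCymruMalwareHashRegistry::match_file_types += /application\/x-msi/;

# Require at least 30% of A/V engines to have flagged the sample before a
# Match notice is raised (the script default is 10).
redef TeamCymruMalwareHashRegistry::notice_threshold = 30;

# Point the notice's sub message at an internal lookup page instead of the
# VirusTotal default; %s is replaced with the file's SHA-1 hash.
# (The URL is a hypothetical placeholder.)
redef TeamCymruMalwareHashRegistry::match_sub_url = "https://intel.example.internal/hash/%s";

# Escalate MHR matches by e-mail in addition to the default notice logging.
# The notice type name is assumed to be TeamCymruMalwareHashRegistry::Match,
# the value added by this script's Notice::Type redefinition.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == TeamCymruMalwareHashRegistry::Match )
		add n$actions[Notice::ACTION_EMAIL];
	}
```

Because detect-MHR.bro loads policy/frameworks/files/hash-all-files.bro, every file the file framework sees is hashed; only the types matched by match_file_types are looked up, so extending that pattern widens the set of hashes sent to the registry and should be done deliberately.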

Copyright 2016, The Bro Project. Last updated on January 10, 2019. Created using Sphinx 1.7.5.